Top stories
AI agent finds 21 zero-days in FFmpeg for about $1,000
- Category: Security
- Status: confirmed
- Sources: DepthFirst research, HN discussion
- Summary: DepthFirst reports its autonomous security agent found 21 previously unknown vulnerabilities in FFmpeg at a cost of about $1,000, spanning the TS demuxer, VP9 decoder, swscale, RTP depacketizers, DASH demuxer, RTSP server, RTMP client, and the option parser. Nine carry CVE identifiers (CVE-2026-39210 through CVE-2026-39218); the remainder are fixed upstream and awaiting numbers. The most severe, DFVULN-127, is a heap buffer overflow in the AV1 RTP depacketizer where a single 183-byte packet over a network-reachable RTSP stream can redirect execution to an unauthenticated RCE primitive. Several bugs had been latent for 15 to 20 years.
- Comments: HN discussion separated genuine memory-safety findings from agent-volume noise and debated maintainer burden from AI-generated reports against FFmpeg.
- Why it matters: FFmpeg is embedded across media pipelines and browsers, so network-reachable RTP and RTSP overflows are broadly exposed, and the result shows agent-driven bug finding is now cheap enough to scale.
- Follow-up: Track CVE assignment for the remaining 12 findings and downstream re-vendoring of patched FFmpeg.